Potential data breach of unemployment system occurred in April

Posted at 6:49 PM, May 28, 2020

FRANKFORT, Ky. (LEX 18) — During Gov. Andy Beshear's Thursday press conference, it was announced that there was a potential data breach of the Unemployment Insurance portal back in April. Josh Benton with the Department of Education and Workforce Development announced that they were notified of the breach on April 23 around 9:17 am.

"On April 23 around 9:17 am, our offices and technology services were made aware of a potential vulnerability in the UI portal," Benton said. "We immediately spoke to the individual who reported this incident and according to the report, they could view identity verification documents that had been uploaded by other UI claimants."

Benton explained that the UI portal was taken down completely by 11:30 am. By noon, there was a temporary solution put in place that prevented all unemployment claimants from viewing any identity documents.

By midnight that night, a security team that had been established created a software patch to permanently resolve the issue.

"It is important to note that April 23 is the only date that this was ever reported to us. We have not received any reports of it since," Benton noted.

Benton added that there are no indications that the UI system was infiltrated from the outside and that it was a situation that identity verification documents could only be potentially viewed by other UI claimants.

"It is also important to know that not everyone that logged into the UI that day would've had this experience," Benton said. "It is only for individuals who had navigated through their account summary to view UI identity documents. So we feel like there is a limited number of individuals who could've experienced this. But with that initial verified report, we acted to take the system down as soon as the incident was verified and the individual who reported it explained to us what they saw."

Benton emphasized that precautions have been taken since then, there has been no additional incidents like this one and nothing to indicate that there was an external infiltration of the system.

"I think it is important to know for those who did file a claim for unemployment insurance, that this revealing of data could've only happened to the individuals who had uploaded identity verification documents that would've been prior to April 23," Benton said. "It is a limited number of UI claimants that even could have had their identity been accessible."

Major credit reporting agencies have been notified of the incident, and direct information will be sent to those who may have experienced this data breach.

When asked why the public is just now being notified of the potential data breach if it happened on April 23, and Beshear responded "The cabinet believed it did not qualify as a data breach under the law. I do."

Beshear added that he was not notified of the incident until last week.